System and method for detecting malware in file based on genetic map of file

ABSTRACT

A method for detecting whether a file includes malware is performed on a device. The method includes extracting information of at least two predetermined items in the file; creating a genetic map for the file by altering the extracted information into a previously set format; comparing the created genetic map with a previously stored malware genetic map to obtain a similarity between the created genetic map and the previously stored malware genetic map; and determining that the file includes malware when the similarity is higher than a reference value.

TECHNICAL FIELD

The present invention relates to a system and method for detecting the existence of malware in a file, and more particularly to a system and method for determining whether a file includes malware on the basis of a genetic map which can be applied uniformly to several files.

BACKGROUND ART

Malware is malicious software. Generally, malware infiltrates a computer in the form of a file. The infiltrated malware causes the computer to malfunction by disturbing its operations, or serves as a leakage path through which a user's personal information is leaked out of the computer. As such, a file must be inspected to determine whether it is malware, and then deleted or modified accordingly, in order to prevent the damage caused by the malware.

Conventionally, a signature is used to detect malware, that is, to determine whether an inspection target file is malware. More particularly, a value representing characteristics of a file, such as a hash value or a CRC (Cyclic Redundancy Check) value, is derived from a part of a file known to be malware and is stored in a database. When a target file is received for inspection, a signature is derived from the target file in the same way and compared with the previously derived signatures of files containing malware, thereby determining whether the target file is malware.

DISCLOSURE OF INVENTION

Technical Problem

However, such a signature-based method makes the result of the determination depend on how the signature for the target file is generated. In other words, the value of the signature depends on where within the target file it is derived. If the signature is derived from the wrong portion of the target file, the determination of whether the target file is malware can be inaccurate. More specifically, the positions of code within a file shift when new code is inserted into the file, so it is difficult to select the exact portion of the file to be used for creating the signature. Because of this, the detection accuracy for malware cannot be maintained uniformly.

Further, since the signature is only one of the items representing the characteristics of a file, it is difficult to detect every kind of malware using the signature alone. In practice, a plurality of mutations derived from one kind of malware may occur, and such mutations may not be detected by comparing signatures.

Undetected malware can cause considerable damage to society, because computers are used in every field of society, including by private individuals, enterprises and public institutions. As such, it is necessary to develop malware detection techniques capable of mitigating the deficiencies of the conventional signature-based detection method, uniformly maintaining high detection accuracy, and detecting the plurality of mutated malware.

Solution to Problem

In view of the above, the present invention provides a malware detection system and method that are adapted to uniformly maintain high detection accuracy and to detect a plurality of mutated malware.

In accordance with a first embodiment of the invention, there is provided a method performed on a device for detecting whether a file includes malware, the method comprising: extracting static information of at least two predetermined items in the file; creating a genetic map for the file by altering the extracted information into a previously set format; comparing the created genetic map with a previously stored malware genetic map to obtain a similarity between the created genetic map and the previously stored malware genetic map; and determining that the file includes malware when the similarity is higher than a reference value.

In accordance with a second embodiment of the invention, there is provided a method performed on a device for detecting whether a file includes malware, the method comprising: extracting information of at least two predetermined items in the file; creating a genetic map for the file by altering the extracted information into a previously set format; deriving a signature from the created genetic map of the file; comparing the derived signature with a malware signature; and determining that the file includes malware when the derived signature is substantially identical to the malware signature.

In accordance with a third embodiment of the invention, there is provided a system for detecting whether a file includes malware, the system comprising: an information extractor for extracting information of at least two predetermined items in the file; a genetic map generator for creating a genetic map of the file by altering the extracted information into a previously set format; and a comparator for comparing the created genetic map with a previously stored malware genetic map to obtain a similarity between the created genetic map and the previously stored malware genetic map, and for determining that the file includes malware when the similarity is higher than a reference value.

In accordance with a fourth embodiment of the invention, there is provided a system for detecting whether a file includes malware, the system comprising: an information extractor for extracting information about at least two predetermined items in the file; a genetic map generator for creating a genetic map for the file by altering the extracted information into a previously set format; a signature generator for deriving a signature from the created genetic map of the file; and a comparator for comparing the derived signature with a malware signature and determining that the file includes malware when the two signatures are substantially identical.

Advantageous Effects of Invention

The malware detection method and system in accordance with the embodiments of the present invention can consider all the characteristics of a file in the detection of malware by using the genetic map. As such, the detection accuracy is rarely affected when any one of the characteristics of the file is varied. Therefore, high detection accuracy can be maintained, and a plurality of mutated malware can be detected.

Moreover, the genetic map is created uniformly regardless of the characteristics of the file. As such, the genetic map is rarely affected by the configuration and content of the file. Accordingly, malware detection can be executed systematically and uniformly.

BRIEF DESCRIPTION OF DRAWINGS

The above and other objects and features of the present invention will become apparent from the following description of exemplary embodiments given in conjunction with the accompanying drawings, in which:

FIG. 1 is a schematic diagram showing a configuration of a malware detection system in accordance with the present invention;

FIG. 2 is a flow chart illustrating a malware detection method in accordance with the first embodiment of the present invention;

FIG. 3 is a flow chart illustrating a malware detection method in accordance with the second embodiment of the present invention;

FIG. 4 is a block diagram showing a malware detection system in accordance with the third embodiment of the present invention; and

FIG. 5 is a block diagram showing a malware detection system in accordance with the fourth embodiment of the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a schematic diagram showing the configuration of a malware detection system in accordance with the present invention. The malware detection system of the present invention includes a client device 10 and an analysis device 20.

The client device 10 is a system configured to execute at least one program file. The client device 10 may be any one of a PC (Personal Computer), a PDA (Personal Digital Assistant), a smart phone, a server computer, and a variety of other devices configured to execute at least one program file. The client device 10 can be connected to the analysis device 20 through a network 30.

The analysis device 20 receives files and determines whether the received files are infected with malware. To this end, the analysis device 20 may include at least one computer system; in other words, it may be a single computer system or a combination of two or more computer systems. The analysis device 20 generates a genetic map for each of the received files and compares the generated genetic map with genetic maps of malware (hereinafter, “malicious genetic maps”) and/or genetic maps of normal files (hereinafter, “whitelist genetic maps”), which have been previously stored in a database 40, in order to determine whether the received files are infected with malware. If a certain one of the received files is determined to be infected with malware, the analysis device 20 designates the generated genetic map for that file as a malicious genetic map and stores it in the database 40, so that the newly designated malicious genetic map can be used in later malware determinations. Likewise, if another one of the received files is determined to be a normal file, the analysis device 20 designates the generated genetic map for that file as a whitelist genetic map and stores it in the database 40, so that the newly designated whitelist genetic map can also be used in later malware determinations.

Also, when a malicious genetic map and/or a whitelist genetic map is newly designated, the analysis device 20 can transmit information about the newly designated map to the client device 10. For example, the analysis device 20 can derive a signature, such as a hash value or a CRC value, from the newly designated malicious genetic map and/or whitelist genetic map and transmit the derived signature to the client device 10. This transmission can be executed either at a fixed interval or whenever a new malicious or whitelist genetic map is designated. Alternatively, the derivation and transmission of the signature can be executed by a separate computer system 50 instead of the analysis device 20. As one example of the separate computer system 50, a separate update server can be employed which periodically searches the database 40, derives signatures from the malicious genetic maps and/or whitelist genetic maps stored there, and transmits the derived signatures to the client device 10. As another example of the separate computer system 50, a separate device notified of malware detections by the analysis device 20 can be employed which recognizes the existence of malware on the basis of the notice, creates the signatures, and transmits the derived signatures to the client device 10.

The client device 10 can also generate a genetic map for a received file and determine whether the file includes malware on the basis of the generated genetic map and information about the malware, such as a signature, received from the analysis device 20. Moreover, when it is determined that the received file includes malware, the client device 10 transmits information about the detected malware to the analysis device 20, so that the analysis device 20 updates the database 40 with that information.

The genetic map of a file is an aggregation of information which includes the information of at least two predetermined items within the file. The items can be selected in advance so as to include information capable of representing the characteristics of the file, but the items do not vary in kind or number even when the characteristics of the files differ. Information of the same items can be derived from each of several files, and genetic maps can be created from the derived information. Even if the information of one of the predetermined items either does not exist in a specific file or does not relate to the characteristics of that file, the information of all the selected items is included in the genetic map. In other words, if the information of one of the predetermined items does not exist in the specific file, information representing its non-existence is included in the genetic map. As such, the predetermined items included in the genetic map are always maintained in kind and number. The use of the genetic map increases the number of items used for determining the similarity of a file, compared to the conventional method which uses only a signature. Moreover, even if the information of one of the selected items is modified, the use of the genetic map allows the determination accuracy to be uniformly maintained, because the information of the other predetermined items is still considered. The creation and use of the genetic map in the embodiments of the present invention will be described in detail later.

FIG. 2 is a flow chart illustrating a malware detection method in accordance with the first embodiment of the present invention. The method of FIG. 2 may be executed by the analysis device 20 illustrated in FIG. 1, for example.

The malware detection method in accordance with the first embodiment of the present invention extracts information of predetermined items from an inspection target file at step 210. The predetermined items for the extraction are fixed and do not vary with the kind of the target file. The predetermined items may include at least one of a header field, a source field, a downloaded position field, a mother file field, the entropy of a block, and a CRC value of a block of the target file. Information that requires a calculation over the code, such as the entropy and the CRC value, can be extracted from a specific block selected in advance within the file, in order to improve efficiency.

At a next step 220, the extracted information is changed into a previously set format, in order to create a genetic map for the target file. For instance, the genetic map can be created by arranging the extracted information according to a previously set bit-map. In other words, a bit-map range is determined in advance for each item of extracted information, and the information is arranged according to that determination. Therefore, every device accessing the genetic map can read the desired information by selecting the corresponding bit-map range.
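The extraction at step 210 and the fixed-format arrangement at step 220 can be made concrete with the following Python example. It is an added illustration, not code from the patent: the item catalogue, the block offset used for the entropy and CRC items, the presence-bit encoding of a missing item, and the sample file bytes are all assumptions chosen for the example. It shows that a file lacking some items (here, no download URL and no mother file) still yields a map of the same size and layout, and that any consumer can read one item back by its fixed byte range.

```python
import math
import struct
import zlib

# Assumption: entropy and CRC are computed over this fixed block of the file.
BLOCK_OFFSET = 0x40
BLOCK_SIZE = 256

# Fixed item catalogue (name, struct format). The same items, in the same
# order and with the same widths, are used for every file regardless of kind.
ITEMS = (
    ("header_magic", "H"),        # first two bytes of the file
    ("source", "16s"),            # where the file came from (e-mail, web, ...)
    ("download_url_crc", "I"),    # CRC32 of the URL the file was downloaded from
    ("mother_file_crc", "I"),     # CRC32 of the file that dropped this one
    ("block_entropy_x100", "H"),  # Shannon entropy of the block, bits * 100
    ("block_crc", "I"),           # CRC32 of the block
)
# A leading presence byte holds one bit per item, so a missing item is recorded
# explicitly (its field is zero-filled) and the map never changes shape.
LAYOUT = "<B" + "".join(fmt for _, fmt in ITEMS)
MAP_SIZE = struct.calcsize(LAYOUT)  # 33 bytes for the catalogue above


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for an empty block."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_items(file_bytes: bytes, source=None, download_url=None, mother_file=None) -> dict:
    """Step 210: pull the predetermined items out of the file and its context.
    An item that does not apply to this file is returned as None."""
    block = file_bytes[BLOCK_OFFSET:BLOCK_OFFSET + BLOCK_SIZE]
    return {
        "header_magic": struct.unpack("<H", file_bytes[:2])[0] if len(file_bytes) >= 2 else None,
        "source": source.encode()[:16] if source else None,
        "download_url_crc": zlib.crc32(download_url.encode()) if download_url else None,
        "mother_file_crc": zlib.crc32(mother_file) if mother_file else None,
        "block_entropy_x100": round(shannon_entropy(block) * 100) if block else None,
        "block_crc": zlib.crc32(block) if block else None,
    }


def build_genetic_map(items: dict) -> bytes:
    """Step 220: arrange the items in the fixed bit-map layout."""
    present = 0
    values = []
    for bit, (name, fmt) in enumerate(ITEMS):
        value = items.get(name)
        if value is None:
            values.append(b"" if fmt.endswith("s") else 0)  # zero-filled field
        else:
            present |= 1 << bit
            values.append(value)
    return struct.pack(LAYOUT, present, *values)


def read_item(genetic_map: bytes, name: str):
    """Read one item back by its fixed byte range; None if its presence bit is clear."""
    present = genetic_map[0]
    offset = 1  # skip the presence byte
    for bit, (item, fmt) in enumerate(ITEMS):
        if item == name:
            if not (present >> bit) & 1:
                return None
            (value,) = struct.unpack_from("<" + fmt, genetic_map, offset)
            return value.rstrip(b"\x00") if fmt.endswith("s") else value
        offset += struct.calcsize("<" + fmt)
    raise KeyError(name)


# Constructed sample: a 64-byte "MZ" header stub followed by a block in which
# every byte value occurs exactly once, so its entropy is exactly 8 bits.
SAMPLE_FILE = b"MZ" + bytes(62) + bytes(range(256))

if __name__ == "__main__":
    full = build_genetic_map(extract_items(SAMPLE_FILE, source="web",
                                           download_url="http://example.invalid/a.exe"))
    bare = build_genetic_map(extract_items(SAMPLE_FILE))  # no source, URL or mother file known
    print(len(full), len(bare), read_item(full, "block_entropy_x100"), read_item(bare, "source"))
```

Because the layout is fixed, two maps can be compared field by field without any parsing beyond the offset table, which is what the similarity step of FIG. 2 relies on.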

More specifically, the predetermined items within the genetic map may include a branch distance included in a branch instruction within the target file. For example, the distances to the target memory addresses designated by a JMP instruction, a CALL instruction and conditional branch instructions in assembly language can be extracted from the target file and included in the genetic map. When two or more branch distances are extracted from the target file, a logical sum or an arithmetic sum of the branch distances can be used as the branch distance information. The branch distance information rarely varies even when the code is modified, because the branch distances reflect the basic structure of the program; the program configuration would have to change entirely for the branch distance information to vary.

As such, a genetic map including the branch distance information makes it possible to accurately determine not only the existence of malware but also a mutation thereof. Also, the similarity between files can be determined efficiently and rapidly by considering the numerically standardized branch distance instead of the entire configuration of the program. Moreover, since the similarity determination is performed mechanically, its result does not depend on the ability of an analyzer.
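The following Python example, added here and not part of the patent, extracts branch distances from a code block and forms the arithmetic and logical sums the paragraph describes. It assumes 32-bit x86 code, interprets “logical sum” as a bitwise OR of the 32-bit displacements, and uses a deliberately minimal linear-sweep decoder that knows only the handful of opcodes in the constructed sample (a real implementation would use a full disassembler). It also shows the contrast drawn in the Technical Problem section: prepending code shifts every byte, so a CRC taken over a fixed file offset changes, while the branch distance information does not.

```python
import struct
import zlib

# Instruction lengths of the non-branch opcodes that occur in the sample.
# Assumption: 32-bit x86; this table is all the decoder knows.
SIMPLE = {0x90: 1, 0x55: 1, 0x5D: 1, 0xC3: 1, 0x40: 1, 0x8B: 2, 0x33: 2}


def branch_distances(code: bytes):
    """Yield the signed displacement of every JMP, CALL and Jcc found by a
    linear sweep over `code`. Raises on an opcode outside the tiny table."""
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0xEB or 0x70 <= op <= 0x7F:                 # jmp rel8, jcc rel8
            yield struct.unpack_from("<b", code, i + 1)[0]
            i += 2
        elif op in (0xE9, 0xE8):                             # jmp rel32, call rel32
            yield struct.unpack_from("<i", code, i + 1)[0]
            i += 5
        elif op == 0x0F and 0x80 <= code[i + 1] <= 0x8F:     # jcc rel32
            yield struct.unpack_from("<i", code, i + 2)[0]
            i += 6
        elif op in SIMPLE:
            i += SIMPLE[op]
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {i}")


def branch_distance_info(code: bytes) -> tuple:
    """Return (arithmetic sum, logical sum) of the branch distances. The logical
    sum is taken here as the bitwise OR of the 32-bit two's-complement values."""
    distances = list(branch_distances(code))
    logical = 0
    for d in distances:
        logical |= d & 0xFFFFFFFF
    return sum(distances), logical


def fixed_offset_signature(code: bytes, start: int = 0, length: int = 8) -> int:
    """The conventional approach: a CRC over a fixed byte range of the file."""
    return zlib.crc32(code[start:start + length])


# Constructed sample routine (hand-assembled 32-bit x86):
#   push ebp ; mov ebp,esp ; xor eax,eax ; call +16 ; inc eax ; jmp +3 ;
#   nop ; nop ; nop ; jne -8 ; pop ebp ; ret
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC, 0x33, 0xC0,
    0xE8, 0x10, 0x00, 0x00, 0x00,
    0x40, 0xEB, 0x03,
    0x90, 0x90, 0x90,
    0x75, 0xF8,
    0x5D, 0xC3,
])
# The same routine after four bytes of padding were inserted in front of it,
# which shifts every instruction to a new offset.
SHIFTED_CODE = b"\x90" * 4 + SAMPLE_CODE

if __name__ == "__main__":
    print(list(branch_distances(SAMPLE_CODE)))  # [16, 3, -8]
    print(branch_distance_info(SAMPLE_CODE) == branch_distance_info(SHIFTED_CODE))
    print(fixed_offset_signature(SAMPLE_CODE) == fixed_offset_signature(SHIFTED_CODE))
```

The arithmetic sum is the more discriminating of the two because the bitwise OR saturates quickly once a backward branch (a negative displacement) is present; an implementation would normally carry both, or the sum plus the count of branches, as separate items in the map.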

Thereafter, the created genetic map for the target file is compared with the respective malware genetic maps previously stored in the database 40, at a step 230. For example, the similarity between the created genetic map and a malware genetic map can be determined from the number of items of the created genetic map whose information values are identical to those of the corresponding items of the malware genetic map. Alternatively, each of the items in the genetic map can have a different weight value. In this case, the similarity between the two genetic maps is the sum of the weight values of the items of the created genetic map whose information values are identical to those of the corresponding items of the malware genetic map. In this manner, a mutated item or an error in one item very rarely affects the overall similarity determination, because the determination depends on a plurality of items. Therefore, the accuracy of the similarity determination can be maintained consistently.

Subsequently, the determined similarity is compared with a reference value at a step 240. The reference value can be predetermined by an analyzer. If the determined similarity is higher than the reference value, the target file is determined to be malware, and then a step 270 of malware designation, explained later, is performed.

On the other hand, steps 250 and 260 can be performed before the step 270 in order to prevent mistakes in determining malware. At the step 250, the created genetic map is compared with the respective whitelist genetic maps previously stored in the database 40, thereby obtaining another similarity between the two genetic maps. Next, at the step 260, the other similarity obtained by comparing the created genetic map with a whitelist genetic map is compared with another reference value. When the other similarity is less than the other reference value, the target file is definitely determined to be malware, and then the step 270 is performed. The other reference value can be predetermined by the analyzer. On the contrary, if the other similarity is higher than the other reference value, an additional procedure is necessary for the target file, because the target file is similar not only to a normal file but also to malware. To this end, a step 280 of providing the target file to the analyzer for the analyzer's determination may be performed.

The above-mentioned steps 250, 260 and 280 are performed to prevent a normal file from being mistakenly identified as malware. As such, the steps 250, 260 and 280 can be omitted from the malware detection method in accordance with the first embodiment of the present invention.

Next, the created genetic map is designated as a new malware genetic map and stored in the database, at the step 270. As such, the newly stored malware genetic map can also be used for detecting malware thereafter. In this way, the malware genetic maps can be continuously updated and accumulated in the database 40, and the accuracy of the malware determination can be enhanced.

Going back to the step 240, when the calculated similarity between the created genetic map and the malware genetic map is lower than the reference value, the file is determined to include only normal code, and then a step 290 of normal file designation is performed. At the step 290, the created genetic map can be designated as a new normal file genetic map and stored in the database 40.

Alternatively, the above-mentioned steps 250 and 260 can also be performed before the step 290, in order to enhance the accuracy of determining whether the file includes only normal code. More specifically, the created genetic map of the target file is compared with a genetic map of a normal file, thereby obtaining another similarity between the created genetic map and the whitelist genetic map. Subsequently, the other similarity is compared with another reference value. Only when the other similarity is higher than the other reference value is the target file definitively determined to include only normal code, and then the step 290 is performed, in which the created genetic map is designated as a new whitelist genetic map and stored in the database 40.

At a step 300, a signature is derived from the created genetic map of a target file which has been determined to be malware. The signature may be a hash value or a CRC value. The derived signature can be transmitted to an external device, such as a client device, and used by the external device for determining whether a file includes malware. The signature-based malware detection method is more efficient than the method that compares entire genetic maps. Therefore, the signature-based method can be used effectively on a device, such as a personal computer, that does not have sufficient resources.

FIG. 3 is a flow chart illustrating a malware detection method in accordance with the second embodiment of the present invention. The method of FIG. 3 may be executed by the client device 10 illustrated in FIG. 1, as an example.

The malware detection method in accordance with the second embodiment of the present invention extracts information of at least two previously determined items from an inspection target file at a step 410. For example, the client device 10 extracts the information of the predetermined items from an inspection target file received from a network. Subsequently, the extracted information is changed into a previously set format, thereby creating a genetic map for the received target file. The detailed description of the information extraction process and the created genetic map is omitted here, since it overlaps with the description of the first embodiment of FIG. 2.

Thereafter, a signature is derived from the created genetic map of the target file at a step 430. For instance, a hash value or a CRC value can be calculated over the created genetic map, which is a serial combination of the extracted information, and used as the signature. The derived signature is compared with at least one malware signature at a step 440. The malware signature may be obtained by receiving the malware signatures prepared through the method described with reference to FIG. 2. Alternatively, the malware signature can be received from the database by connecting the client device 10 to the database 40. Comparing signatures instead of genetic maps reduces the comparison and operation load and the resource consumption.

At a step 450, it is determined whether the two signatures are substantially identical. If the two signatures are not identical, the target file may be determined to include only normal code, and then a step 460 of normal file designation is performed. At the step 460, the target file is designated as a normal file, and information about the normal file may be stored in the client device 10 or be transmitted regularly to an external device, such as the analysis device 20 or the database 40.

On the contrary, when it is determined that the derived signature is substantially identical to the malware signature, a step 470 may be performed in which the derived signature is compared with at least one normal file signature. Subsequently, at a step 480, it is determined whether the derived signature is substantially identical to at least one normal file signature. If the result of the step 480 indicates that the derived signature is identical to none of the normal file signatures, the received target file is determined to include malware, and then a step 490 of malware designation is performed. At the step 490, the target file is designated as malware. Also, the newly designated malware together with the derived signature may be transmitted from the client device 10 to the analysis device 20 at a step 500, whereupon the analysis device 20 updates the database 40 using the information received from the client device 10. Alternatively, the step 500 can be omitted, in which case the client device 10 does not transmit the newly designated malware and the derived signature to the analysis device 20, and the analysis device 20 updates the database 40 by its own operation without receiving any information from the client device 10.

On the other hand, if it is determined that the derived signature is substantially identical to at least one normal file signature, the client device 10 cannot determine whether the target file includes malware or only normal code. In this case, the client device 10 enters a step 500 and transmits information about the target file to the analysis device 20. The analysis device 20 can then perform the malware detection method of FIG. 2 on the target file corresponding to the received information, or provide the file to an analyzer, in order to obtain an accurate determination for the target file.
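The decision flows of FIG. 2 (steps 230 to 300 on the analysis device 20) and FIG. 3 (steps 430 to 500 on the client device 10) are implemented together in the following Python example, which is an added illustration and not the patent's code. Genetic maps are represented as dictionaries of item name to value; the per-item weights, the reference values, the sample maps and the choice of SHA-256 over a canonical serialization as the signature are assumptions. The sample data is constructed so that a mutated copy of a known malware map is caught by similarity on the analysis device even though its exact signature is unknown to the client, which is the division of labour between the two flows. Where the text leaves a case open (low similarity to malware but the optional whitelist check fails), the example defers to the analyzer and says so in a comment.

```python
import hashlib
import json

# Assumption: per-item weights for the weighted similarity of step 230. An item
# whose value is hard to change without breaking the program counts more.
WEIGHTS = {
    "header_magic": 1, "source": 1, "download_url_crc": 1, "mother_file_crc": 2,
    "block_entropy_x100": 2, "block_crc": 3, "branch_sum": 3,
}


def similarity(a: dict, b: dict, weights: dict = WEIGHTS) -> float:
    """Weighted fraction of items whose values are identical in both maps.
    A missing item (None) in both maps counts as identical: non-existence is
    itself recorded information in the genetic map."""
    matched = sum(w for item, w in weights.items() if a.get(item) == b.get(item))
    return matched / sum(weights.values())


def signature(genetic_map: dict) -> str:
    """Step 300 / step 430: a hash over a canonical serialization of the map."""
    canonical = json.dumps(genetic_map, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class Database:
    """Stands in for database 40: the designated maps and the signatures
    derived from them for distribution to clients."""

    def __init__(self, malware_maps=(), whitelist_maps=()):
        self.malware_maps = list(malware_maps)
        self.whitelist_maps = list(whitelist_maps)

    def designate(self, genetic_map: dict, verdict: str) -> None:
        if verdict == "malware":
            self.malware_maps.append(genetic_map)    # step 270
        elif verdict == "normal":
            self.whitelist_maps.append(genetic_map)  # step 290

    @property
    def malware_signatures(self) -> set:
        return {signature(m) for m in self.malware_maps}

    @property
    def whitelist_signatures(self) -> set:
        return {signature(m) for m in self.whitelist_maps}


def best_similarity(created: dict, maps) -> float:
    return max((similarity(created, m) for m in maps), default=0.0)


def classify_on_analysis_device(created: dict, db: Database,
                                ref: float = 0.6, white_ref: float = 0.6) -> str:
    """FIG. 2, steps 230 to 290. Returns "malware", "normal" or "defer"."""
    to_malware = best_similarity(created, db.malware_maps)      # step 230
    to_whitelist = best_similarity(created, db.whitelist_maps)  # step 250
    if to_malware > ref:                                        # step 240
        # Steps 260/270/280: similar to malware only -> malware; similar to a
        # normal file as well -> hand the file to the analyzer.
        return "malware" if to_whitelist <= white_ref else "defer"
    # Low similarity to malware. The patent designates a normal file only when
    # the optional whitelist check also passes and does not say what happens
    # otherwise, so this example defers (assumption).
    return "normal" if to_whitelist > white_ref else "defer"


def classify_on_client(derived_sig: str, malware_sigs: set, normal_sigs: set) -> str:
    """FIG. 3, steps 440 to 500. Returns "normal", "malware" or "forward"."""
    if derived_sig not in malware_sigs:   # step 450 -> step 460
        return "normal"
    if derived_sig in normal_sigs:        # steps 470/480 -> step 500
        return "forward"
    return "malware"                      # step 490


# Constructed sample maps. The malware and the normal file share a header, a
# source and one packed block (same entropy and CRC), which is what makes the
# whitelist check necessary.
KNOWN_MALWARE = {"header_magic": 0x5A4D, "source": "email", "download_url_crc": 0x1111,
                 "mother_file_crc": 0x2222, "block_entropy_x100": 790, "block_crc": 0xAAAA,
                 "branch_sum": 11}
KNOWN_NORMAL = {"header_magic": 0x5A4D, "source": "email", "download_url_crc": 0x3333,
                "mother_file_crc": 0x4444, "block_entropy_x100": 790, "block_crc": 0xAAAA,
                "branch_sum": 42}
MUTANT = dict(KNOWN_MALWARE, block_crc=0xCCCC)        # one block re-encoded
BENIGN = dict(KNOWN_NORMAL, download_url_crc=0x5555)  # same normal file, another mirror
AMBIGUOUS = dict(KNOWN_MALWARE, branch_sum=42)        # resembles both

if __name__ == "__main__":
    db = Database([KNOWN_MALWARE], [KNOWN_NORMAL])
    for name, m in (("mutant", MUTANT), ("benign", BENIGN), ("ambiguous", AMBIGUOUS)):
        verdict = classify_on_analysis_device(m, db)
        db.designate(m, verdict)
        print(name, verdict)
    # The mutant's signature reaches clients only after the analysis device
    # designated it; before that, the client's exact-match check misses it.
    print(classify_on_client(signature(MUTANT), db.malware_signatures, db.whitelist_signatures))
```

The example makes the trade-off between the two embodiments visible: the client's exact signature match costs one hash and a set lookup but only recognizes maps that have already been designated, whereas the analysis device's weighted similarity recognizes a variant whose single changed item (the block CRC) would defeat the signature, at the price of comparing against every stored map.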

Although the malware detection method of the second embodiment illustrated in FIG. 3 is preferably executed on the client device 10, the method of FIG. 3 can also be executed on the analysis device 20 for ease of malware detection. Similarly, the malware detection method of the first embodiment illustrated in FIG. 2 can also be executed on the client device 10.

FIG. 4 is a block diagram showing a malware detection system in accordance with the third embodiment of the present invention. The system of FIG. 4 may be implemented on the analysis device 20 shown in FIG. 1.

The malware detection system in accordance with the third embodiment of the present invention may include an information extractor 610, a genetic map generator 620, a signature generator 630, a comparator 640, a communication unit 650 and a memory 660.

The information extractor 610 receives an inspection target file and derives information of predetermined items from the target file. Details of the predetermined items may be stored in the memory 660, in which case the information extractor 610 extracts the information of the predetermined items using the details stored in the memory 660. Alternatively, code describing the predetermined items may be stored in an internal memory of the extractor 610, in which case the information extractor 610 executes the code stored in its internal memory to extract the information of the predetermined items from the target file.

The genetic map generator 620 receives the information extracted by the information extractor 610 and changes the extracted information into a previously set format, thereby creating a genetic map. For example, the genetic map generator 620 can create the genetic map by arranging the extracted information according to a previously set bit-map.

The comparator 640 compares the genetic map created by the genetic map generator 620 with at least one malware genetic map. The malware genetic map can be received from a database via the communication unit 650. The comparator 640 can calculate a similarity between the created genetic map and the malware genetic map through the comparison, and can determine whether the two genetic maps are similar to each other on the basis of the similarity.

Also, the comparator 640 can compare the created genetic map received from the genetic map generator 620 with at least one normal file genetic map. The normal file genetic map can be received from the database through the communication unit 650.

Furthermore, the comparator 640 can command the signature generator 630 to create a signature for the created genetic map on the basis of the result of the comparison. For instance, when the result indicates that the target file includes malware, the comparator 640 commands the signature generator 630 to generate a signature for the created genetic map of the target file. The signature created by the signature generator 630 can be transmitted to the client device 10 via the communication unit 650.

The communication unit 650 may transmit the created genetic map to the database 40 for storage when the target file is determined to include malware. In addition, the communication unit 650 may also transmit the created genetic map to the database 40 for storage when the target file is determined to be a normal file.

FIG. 5 is a block diagram showing a malware detection system in accordance with the fourth embodiment of the present invention. The system of FIG. 5 may be implemented on the client device 10 shown in FIG. 1.

The malware detection system in accordance with the fourth embodiment of the present invention includes an information extractor 710, a genetic map generator 720, a signature generator 730, a comparator 740, a communication unit 750 and a memory 760. The information extractor 710 and the genetic map generator 720 are the same as those of the system illustrated in FIG. 4, so their descriptions are omitted to avoid overlapping with those of FIG. 4.

The signature generator 730 derives a signature from the genetic map of the target file created by the genetic map generator 720. The derived signature is transmitted to the comparator 740. The comparator 740 compares the derived signature with at least one malware signature which is received from an external device, such as the analysis device 20, via the communication unit 750, or which has been previously stored in the memory 760. The comparator 740 determines that the target file includes malware when the comparison indicates that the derived signature is substantially identical to the malware signature. Also, the comparator 740 can transmit information about the target file to the external device via the communication unit 750. As such, information about new malware can be transmitted to the external device and accumulated in the database 40.

Moreover, the comparator 740 can compare the derived signature with at least one normal file signature which is received from the external device via the communication unit 750, or which has been previously stored in the memory 760. When the comparison indicates that the derived signature is substantially identical to the normal file signature, the comparator 740 can determine the target file to be a normal file. If, however, the comparison indicates that the derived signature is substantially identical not only to the malware signature but also to the normal file signature, the comparator 740 can defer determining whether the target file includes malware or only normal code. In this case, the comparator 740 can inform the external device, via the communication unit 750, that it is impossible or too difficult to determine whether the target file includes malware or only normal code, so that the external device performs an accurate determination.

As described above, the malware detection method and system in accordance with the embodiments of the present invention can consider all the characteristics of a file in the detection of malware by using the genetic map. As such, the detection accuracy is rarely affected when any one of the characteristics of the file is varied. Therefore, high detection accuracy can be maintained, and a plurality of mutated malware can be detected.

Moreover, the genetic map is created uniformly regardless of the characteristics of the file. As such, the genetic map is rarely affected by the configuration and content of the file. Accordingly, malware detection can be executed systematically and uniformly.

While the invention has been shown and described with respect to the embodiments, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the scope of the invention as defined in the following claims.

The invention claimed is:
 1. A method performed on a computer for detecting whether a file includes malware, the method comprising: extracting static information of at least two predetermined items in the file; creating a genetic map for the file by altering the extracted information into a previously set format; comparing the created genetic map with a previously stored malware genetic map to obtain a similarity between the created genetic map and the previously stored malware genetic map; determining that the file includes malware when the similarity is higher than a reference value relating to the malware; comparing the created genetic map with a previously stored whitelist genetic map for a whitelist file to obtain another similarity between the created genetic map and the whitelist genetic map; and deferring said determining when said another similarity between the created genetic map and the whitelist genetic map is higher than another reference value related to the whitelist file.
 2. The method of claim 1, wherein the created genetic map includes information representing non-existence of the information of one item among the predetermined items when the information of said one item does not exist in the file.
 3. The method of claim 1, wherein the information of said at least two predetermined items is extracted from a part of the file.
 4. The method of claim 1, wherein the predetermined items include a branch distance which is included in a branch instruction within the file.
 5. The method of claim 1, wherein the predetermined items are selected regardless of a kind of the file.
 6. The method of claim 1, the method further comprising: storing the created genetic map in a data base, via a network, as a new malware genetic map when the file is determined to include malware, wherein the previously stored malware genetic map has been stored in the data base.
 7. The method of claim 1, further comprising: storing the created genetic map in a data base as a new whitelist genetic map of the whitelist file when said another similarity between the created genetic map and the whitelist genetic map is higher than said another reference value and when the similarity between the created genetic map and the previously stored malware genetic map is lower than said another reference value related to the whitelist file, wherein the whitelist genetic map has been previously stored in the data base.
 8. The method of claim 1, wherein said additional comparing is performed when the similarity between the created genetic map and the previously stored malware genetic map is higher than the reference value related to the malware.
 9. The method of claim 1, further comprising: deriving a malware signature from the created genetic map when the file is determined to include the malware; and transmitting the derived malware signature to another device.